CVE-2023-22332 - OpenCVE

Information disclosure vulnerability exists in Pgpool-II 4.4.0 to 4.4.1 (4.4 series), 4.3.0 to 4.3.4 (4.3 series), 4.2.0 to 4.2.11 (4.2 series), 4.1.0 to 4.1.14 (4.1 series), 4.0.0 to 4.0.21 (4.0 series), All versions of 3.7 series, All versions of 3.6 series, All versions of 3.5 series, All versions of 3.4 series, and All versions of 3.3 series. A specific database user's authentication information may be obtained by another database user. As a result, the information stored in the database may be altered and/or database may be suspended by a remote attacker who successfully logged in the product with the obtained credentials.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pgpool	Pgpool-ii

Configuration 1 [-]

OR	cpe:2.3:a:pgpool:pgpool-ii::::::::
	cpe:2.3:a:pgpool:pgpool-ii::::::::
	cpe:2.3:a:pgpool:pgpool-ii::::::::
	cpe:2.3:a:pgpool:pgpool-ii::::::::
	cpe:2.3:a:pgpool:pgpool-ii::::::::
	cpe:2.3:a:pgpool:pgpool-ii::::::::

No data.

References

Link	Providers
https://jvn.jp/en/jp/JVN72418815/
https://www.pgpool.net/mediawiki/index.php/Main_Page#News

History

No history.

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2023-01-30T00:00:00

Updated: 2024-08-02T10:07:06.111Z

Reserved: 2022-12-28T00:00:00

Link: CVE-2023-22332

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-01-30T07:15:10.003

Modified: 2023-02-06T19:54:28.683

Link: CVE-2023-22332

Redhat

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pgpool:pgpool-ii:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC6F9DF2-27FB-43BE-B4EB-5296C01BD28E", "versionEndIncluding": "3.7.12", "versionStartIncluding": "3.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pgpool:pgpool-ii:*:*:*:*:*:*:*:*", "matchCriteriaId": "AEFBFF5E-DE69-4F94-B4BD-53C8C91CA850", "versionEndExcluding": "4.0.22", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pgpool:pgpool-ii:*:*:*:*:*:*:*:*", "matchCriteriaId": "1800AB14-AF70-4D4D-8E3D-FCFC7790F1FC", "versionEndExcluding": "4.1.15", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pgpool:pgpool-ii:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D3373F7-66DD-4A05-B7AF-8ABEAF99F4F9", "versionEndExcluding": "4.2.12", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pgpool:pgpool-ii:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA369670-DE4B-478A-87C8-57A60929B885", "versionEndExcluding": "4.3.5", "versionStartIncluding": "4.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pgpool:pgpool-ii:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A6FBCE3-2494-4B70-A094-289DE7AC6D64", "versionEndExcluding": "4.4.2", "versionStartIncluding": "4.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Information disclosure vulnerability exists in Pgpool-II 4.4.0 to 4.4.1 (4.4 series), 4.3.0 to 4.3.4 (4.3 series), 4.2.0 to 4.2.11 (4.2 series), 4.1.0 to 4.1.14 (4.1 series), 4.0.0 to 4.0.21 (4.0 series), All versions of 3.7 series, All versions of 3.6 series, All versions of 3.5 series, All versions of 3.4 series, and All versions of 3.3 series. A specific database user's authentication information may be obtained by another database user. As a result, the information stored in the database may be altered and/or database may be suspended by a remote attacker who successfully logged in the product with the obtained credentials."}, {"lang": "es", "value": "Una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n existe en Pgpool-II 4.4.0 a 4.4.1 (serie 4.4), 4.3.0 a 4.3.4 (serie 4.3), 4.2.0 a 4.2.11 (serie 4.2), 4.1.0 a 4.1. 14 (serie 4.1), 4.0.0 a 4.0.21 (serie 4.0), Todas las versiones de la serie 3.7, Todas las versiones de la serie 3.6, Todas las versiones de la serie 3.5, Todas las versiones de la serie 3.4 y Todas las versiones de la serie 3.3. La informaci\u00f3n de autenticaci\u00f3n de un usuario de base de datos espec\u00edfico puede ser obtenida por otro usuario de base de datos. Como resultado, la informaci\u00f3n almacenada en la base de datos puede verse alterada y/o la base de datos puede ser suspendida por un atacante remoto que haya iniciado sesi\u00f3n exitosamente en el producto con las credenciales obtenidas."}], "id": "CVE-2023-22332", "lastModified": "2023-02-06T19:54:28.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-30T07:15:10.003", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN72418815/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://www.pgpool.net/mediawiki/index.php/Main_Page#News"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "nvd@nist.gov", "type": "Primary"}]}